Data hk is the abbreviation of Hong Kong, a former British colony and currently an administrative region of the People’s Republic of China. Despite its small size, it has a long history of data protection legislation and a high level of compliance with international standards. Its current laws have been influenced by the European Union’s GDPR, although it has developed its own distinct legal regime – the Personal Data Protection Ordinance (PDPO) – that does not include a definition of personal data.
The PDPO requires that a data user must fulfil a number of core obligations, such as providing information to a data subject on or before the collection of his personal data. These obligations are primarily defined by DPP1 and DPP3. However, the PDPO does not require that these particulars be communicated to data subjects in writing. This is consistent with the approach adopted in other legislative regimes, such as the Mainland Personal Information Protection Law and the General Data Protection Regulation that applies in the European Economic Area.
A data exporter must also consider whether the foreign jurisdiction’s laws and practices are likely to comply with the PDPO and, if not, take supplementary measures to bring the level of protection up to Hong Kong standards. These might include technical measures such as encryption, anonymisation or pseudonymisation, or split or multi-party processing. They might also involve contractual arrangements, such as audit, inspection and reporting, breach notification, and compliance support and co-operation.
For transfers of personal data from a Hong Kong data user to entities outside Hong Kong, or between two entities both of which are located outside Hong Kong when control of the transfer is exercised by a Hong Kong data user, the PCPD has published a set of recommended model contractual clauses. These are very similar to the standard contractual clauses that EEA data exporters are required to include in their contracts under GDPR, and reflect the key elements of a Hong Kong-style transfer arrangement.
The model contractual clauses are not mandatory, but a data exporter that agrees to them must ensure that the resulting contract will be enforceable under Hong Kong law, and that it will take all reasonable steps to implement them in practice. As a matter of good practice, the data exporter should also notify the data subjects of the transfer and the underlying grounds. This will serve to demonstrate its commitment to principles of data transparency and its adherence to good data ethics. It is also likely to be helpful if the data exporter keeps records of all the personal data that it has transferred, and of all efforts to fulfil its obligations in respect of cross-border data transfers. These records will provide useful evidence to its auditors in the event of an investigation or a complaint by a data subject. They will also assist the data exporter in its defence against claims of non-compliance with the PDPO. This will be important, given the increasing frequency of data breaches in a globalised economy.